[00:00.580 --> 00:04.060]  Hi Voting Village. My name is Forrest Senti. I'm the Director of Business and Government Affairs
[00:04.060 --> 00:08.580]  at the National Cyber Security Center. I'm Caleb Gardner. I'm a fellow at the National
[00:08.580 --> 00:12.380]  Cyber Security Center and Secure the Vote. And we're going to be presenting you our
[00:12.380 --> 00:16.200]  Hack-a-Fax presentation today. For a little background to start,
[00:16.980 --> 00:22.340]  National Cyber Security Center is a 501c3 centered in Colorado Springs. A lot of our focus has to do
[00:22.340 --> 00:27.640]  with cyber innovation awareness and a lot of our projects have to do with tackling global problems,
[00:27.640 --> 00:33.380]  smart cities, elections, space. Some of our colleagues in the Space ISAC are presenting
[00:33.380 --> 00:37.340]  today in the Aerospace Village. We want to give them good congratulations and a shout out over
[00:37.340 --> 00:42.260]  there. But the big reason why we're here today ultimately is that we want to talk about the gap,
[00:42.760 --> 00:47.080]  the security gap. And specifically it has to do with policy in addition to the different
[00:47.080 --> 00:52.500]  agencies and groups. A lot of people ask why NCC? Why us? Why do we care about some of these issues?
[00:52.500 --> 00:55.800]  And the reality is that between the different groups that exist in the United States that are
[00:55.800 --> 01:00.480]  multi-agency, multi-party, multi-policy, you know, depending on where you come from,
[01:00.480 --> 01:04.740]  whether it's the Election Security ISAC, groups like Verified Voting, MIT, even places like the
[01:04.740 --> 01:10.880]  EAC, CISA, CIS, all serve a specific segment. But our focus is on identifying gaps in critical
[01:10.880 --> 01:15.280]  infrastructure. And the presentation you're going to hear from us today is going to be talking about
[01:15.280 --> 01:21.380]  that gap. One gap we've identified specifically has to do with the population affecting the
[01:21.380 --> 01:27.480]  overseas voter or UOCAVA. This is specific to the Uniformed and Overseas Citizens Absentee Voting
[01:27.480 --> 01:32.460]  Act. Many of you here at the Voting Village, it's going to be no secret and surprise to you.
[01:32.540 --> 01:35.820]  You know what this means. You know how many people and, you know, kind of the different
[01:35.820 --> 01:40.280]  challenges these people face, whether they're voting from Afghanistan or Italy or even from a
[01:40.280 --> 01:46.520]  remote jungle, the Amazon. So a lot of what we're focused on today is on this area.
[01:46.520 --> 01:50.480]  So one of the pieces I want to call out is specific to fax machines, like we mentioned
[01:50.480 --> 01:55.340]  early on. Under the current implementation of the MOVE Act that was established in 2009,
[01:55.340 --> 02:02.100]  31 states currently allow for ballot return via email and fax. This means that these 31 states
[02:02.100 --> 02:06.320]  have to provide a place for these people that are voting from overseas to provide
[02:07.420 --> 02:11.520]  a place for them to send their ballot via fax or email. So knowing this information
[02:11.520 --> 02:15.940]  and us seeing this different research that was coming out, we wanted to do a quick breakdown
[02:15.940 --> 02:22.720]  and see how many ballots were actually transmitted back in 2018. According to the EAC, roughly 29,000
[02:22.720 --> 02:27.820]  ballots were sent. Now, this is under the category of others. So some of these in there could be
[02:27.820 --> 02:32.100]  mobile voting from West Virginia or a web portal like in Colorado, Montana, Arizona, or Michigan.
[02:32.860 --> 02:37.260]  But 29,000 ballots, although not statistically significant to the rest of the United States,
[02:37.260 --> 02:42.540]  still represents a population that is voting using this method. And this shows that election
[02:42.540 --> 02:47.460]  offices are still allowing for this method and pushing for it, even in some cases. Although it
[02:47.460 --> 02:51.720]  has been on the decline, it's important to note that security is still paramount for every single
[02:51.720 --> 02:55.500]  vote that comes out. So now I'll hand it over to Caleb, who's going to talk a little more about
[02:55.500 --> 03:00.320]  the research that we did specific to fax machines and election jurisdictions and kind of give you
[03:00.380 --> 03:05.040]  a little more of the issue right now. Thanks, Forrest. So first off, we're going to reference
[03:05.040 --> 03:10.220]  you guys back to some presentations that probably made an impression on you when you first saw them.
[03:10.220 --> 03:15.660]  They were specifically focused on fax and printer faxes. So first off, in DEF CON 26, we saw lots of
[03:15.660 --> 03:20.840]  fax from Check Point Research. And that was a big sticking point for me. And we came back to that a
[03:20.840 --> 03:25.960]  lot as we went to do our own research and talk to other counties and cities. So we'll move to the
[03:25.960 --> 03:31.880]  next slide. And what Check Point Research really showed us was that it was impossible to exploit
[03:31.880 --> 03:38.120]  printer fax just with a publicly available fax number. No city or county that I looked for,
[03:38.120 --> 03:42.440]  their fax number was not available. Every single time I could find it for the city clerk or the
[03:42.440 --> 03:45.760]  county clerk, and which is where you'd be submitting your vote for if you were one of these
[03:45.760 --> 03:52.320]  UOCAVA voters. So using that phone number, Check Point Research was able to hack printer fax.
[03:52.320 --> 03:56.880]  And actually, they were also able to get to the network behind that printer fax if there was a
[03:56.880 --> 04:01.800]  flat network topology with no segmentation. So we'll talk about how they did that really fast.
[04:01.800 --> 04:07.460]  They discovered that in the T30 protocol, we have access to both the data and the headers.
[04:07.460 --> 04:12.160]  This enabled us to have full control of the JPEG file. So that's why we use JPEG over any other file
[04:12.160 --> 04:17.920]  type. And over the PSTN networks, the publicly switched telephone network, we are able to get
[04:17.920 --> 04:24.460]  to that printer fax and use the proprietary JPEG parser. They specifically looked at HP, but this
[04:24.460 --> 04:29.240]  is probably going to be the case for any of the big solutions. If that's Xerox, if that's HP, if
[04:29.240 --> 04:33.000]  that's someone else, they're probably implementing their own JPEG parser rather than using some sort
[04:33.000 --> 04:39.200]  of open source publicly known secure parser. So since they did that themselves, they found a lot
[04:39.200 --> 04:44.080]  of CVEs in there. They found a buffer overflow with parsing DHT markers. And with that,
[04:44.080 --> 04:47.960]  they had a controllable stack-based overflow. They could do anything with it, and they were able to
[04:47.960 --> 04:52.820]  get a great exploit, which they put on EternalBlue to the rest of the network. And so it was
[04:52.880 --> 04:58.860]  a really great demonstration in DEF CON 26. What could you do with this? A lot. Practically
[04:58.860 --> 05:02.660]  everything. You have confidentiality attacks, integrity attacks, and availability attacks. You
[05:02.660 --> 05:07.880]  have a full CIA triad. You're seeing voter registration info, particularly if you're
[05:07.880 --> 05:12.420]  getting through to the network behind these printer faxes. You're seeing ballots, hopefully
[05:12.420 --> 05:19.440]  not, but potentially. And you are able to maybe change those ballots. That's something that we're
[05:19.440 --> 05:22.860]  going to look at in the future, is if we can get into one of these printer faxes, can we get to
[05:22.860 --> 05:27.460]  those ballots, or can we get the incoming ballots and change them before they're stored? And also
[05:27.460 --> 05:32.060]  you have availability attacks. You're potentially able to bring down an entire city or county's
[05:32.060 --> 05:36.720]  infrastructure for receiving votes for that election, which would make a recount necessary,
[05:36.720 --> 05:40.180]  which would make a lot of bad things happen. Obviously, we don't want to be saying.
[05:40.880 --> 05:43.600]  So we're going to research. We did some confidential research with different cities and
[05:43.600 --> 05:48.840]  counties, and we have to keep that confidential. We are under NDA, but we can generalize. We can
[05:48.840 --> 05:54.560]  say what are the rough takeaways we're seeing from two main different types of cities. First off,
[05:54.560 --> 05:58.940]  we have City A. This is your medium to large size city. They probably have good infrastructure
[05:58.940 --> 06:03.560]  investment in IT. They're probably able to actually hire talented IT professionals who
[06:03.560 --> 06:07.420]  are security conscious, and they're able to enforce strict adherence to best practices
[06:07.420 --> 06:11.620]  with regards to security. These are all great things, and you're probably going to see a pretty
[06:11.620 --> 06:18.100]  secure printer fax implementation. We did when we were looking at these types of cities. City B,
[06:18.100 --> 06:23.000]  however, is the city that we talk about pretty much every time DEF CON rolls around with Voting
[06:23.000 --> 06:28.180]  Village. They're the ones who are still running the DREs that we have shown vulnerabilities in
[06:28.180 --> 06:31.800]  every year. You know, it's obviously a broken system that they're still implementing,
[06:31.800 --> 06:34.520]  but they're not going to spend the money to fix it. They're not going to spend any money to
[06:34.520 --> 06:39.540]  become security conscious. So probably a really poor mismanaged IT department,
[06:39.540 --> 06:42.920]  and they probably don't have good patching policies or security posture.
[06:44.560 --> 06:49.000]  So looking at City A in more in-depth, the things that they have that makes them stand apart from
[06:49.000 --> 06:53.800]  other cities is that they have usually segmented networks. This keeps their printer fax separate
[06:53.800 --> 06:58.080]  from their data servers. It keeps them separate from their employee workstations, and it's even
[06:58.080 --> 07:03.240]  segmented on a very in-depth level. So every fire station and police station, there would be those
[07:03.240 --> 07:06.820]  three things, the data servers, the workstations, and the print servers, would all be different
[07:06.820 --> 07:11.020]  things in every single location. So it's an extremely segmented network that keeps you from
[07:11.020 --> 07:16.140]  getting to a lot of access through that one printer fax. So basically City A knows that
[07:16.140 --> 07:20.160]  printer fax is a potential point of intrusion. They probably have good patching policies for
[07:20.160 --> 07:24.780]  the printers. Hopefully they have multifactor in general, and also for the printer fax servers.
[07:24.780 --> 07:31.560]  They're probably using fax over IP over PSTN fax, T38 over T30. City B, however, doesn't have
[07:31.560 --> 07:36.400]  any of these things, practically. A flat network topology, you exploit the printer fax, you exploit
[07:36.400 --> 07:41.620]  the network. They have bad patching, bad multifactor authentication implementation, and bad security
[07:41.620 --> 07:50.680]  posture. So if you're City B, you're thinking, well, does this apply to me? How can I know?
[07:50.680 --> 07:55.840]  Our high-level attack overview is specifically geared towards what Check Point Research did
[07:55.840 --> 08:01.960]  in showing that specifically is the HP OfficeJet Pro 6830 all-in-one printer. However, it wasn't the
[08:01.960 --> 08:05.540]  printer that had the vulnerability, it was HP's implementation of the JPEG parser, if you
[08:05.540 --> 08:11.560]  remember. So HP released a security bulletin in July 2018 talking about this, providing patches.
[08:12.140 --> 08:17.660]  However, maybe not all of City B saw that. Maybe they didn't apply that patch, maybe they didn't
[08:17.660 --> 08:23.680]  think to apply the patch, they're not even keeping in track with their recycled machine. These
[08:23.680 --> 08:27.400]  sorts of things are not important to lots of cities, and they're not going to look at security
[08:27.400 --> 08:33.220]  patches when they're available for them. So I would recommend, if you're City B, looking to see
[08:33.220 --> 08:37.720]  if you have an HP printer. Did you buy it after 2018, before 2018? Did you apply a patch if you
[08:37.720 --> 08:42.120]  bought it before 2018? And if you didn't, and you're using PSTN, you're probably susceptible
[08:42.120 --> 08:47.460]  to this attack right now. NIST has some things to say about it as well. NIST says that there's
[08:47.460 --> 08:52.620]  no widely used standard for fax encryption. Thus, information sent by fax is at risk for the
[08:52.620 --> 08:57.160]  possible interception or modification. Jurisdictions should carefully weigh the risks of fax transmission
[08:57.160 --> 09:02.100]  over other alternatives. So this is a big deal, and I think this is one of the biggest
[09:02.720 --> 09:06.500]  vulnerabilities that we're seeing in fax, and the thing that we'd like to see changed most in the
[09:06.500 --> 09:12.840]  future is the unencryption of it. And we would like to see a default encryption method used on
[09:12.840 --> 09:17.960]  fax in the future. T38 making encryption standard rather than optional would probably
[09:17.960 --> 09:22.340]  be a great step in that direction. They also stress the secure location of fax machines,
[09:22.340 --> 09:27.080]  because often with T30, voting records or registration info might be actually still
[09:27.080 --> 09:31.680]  stored on that machine as it comes through, unbeknownst to the user. So physical access
[09:31.680 --> 09:38.060]  would allow access to all those PII. T38 and T30, we'll go over that really quickly if we haven't
[09:38.060 --> 09:43.180]  gone enough over it already. So PSTN, that's going to be T30. It's going to be unencrypted,
[09:43.180 --> 09:47.880]  and it's not real-time. T38 is the future that we're currently living in, but we also need to
[09:47.880 --> 09:53.900]  see the future as far as encryption implementations. So we saw Babytel as a company, and they have an
[09:53.900 --> 09:58.640]  AES implementation that's very useful for companies that are regulated and that are
[09:58.640 --> 10:04.200]  mandated to use potentially unsecure networks along the way towards the delivery to the user.
[10:04.200 --> 10:09.140]  However, this AES implementation by Babytel isn't ensuring that you will have encrypted
[10:09.140 --> 10:13.840]  transport all the way across. So more stuff like that is what we need to see on a default level
[10:13.840 --> 10:18.300]  in the industry, and we're not seeing right now, which is why we're talking about it and getting
[10:18.300 --> 10:24.780]  that on the record. So fax security versus public perception. The big issue we kind of faced in
[10:24.780 --> 10:30.300]  pushback from different cities and counties was that they say that only maybe the last faxed out
[10:30.300 --> 10:34.300]  they received was 2012, and that's eight years ago. So they don't think about it at all. It doesn't
[10:34.300 --> 10:38.260]  cross their minds, and since they don't see it on a daily basis, they ask themselves, why do we need
[10:38.260 --> 10:43.860]  to secure this? It doesn't seem like a security risk. But the point is, is that zero ballots need
[10:43.860 --> 10:47.440]  to be cast for it to be a security risk. The fact of the matter is that having your publicly
[10:47.440 --> 10:53.180]  available city or county clerk number online, and knowing, and malicious actors knowing that that's
[10:53.180 --> 10:57.640]  the phone number they need to have access to if they need to own that printer, or printer fax,
[10:57.640 --> 11:02.220]  that's all they need. And if you are not patched, if you're on a potentially vulnerable solution,
[11:02.640 --> 11:06.500]  that's it. You're done. That printer fax is done. You're potentially putting yourself up for
[11:06.500 --> 11:11.740]  integrity attacks at the very least, confidentiality, and availability if you have bad network topology
[11:11.740 --> 11:16.520]  solutions. So we face a lot of pushback, but we definitely need to acknowledge that that's
[11:17.020 --> 11:20.440]  the issue, is the root of the matter, is having a publicly available phone number.
[11:21.140 --> 11:25.220]  So let's talk about the security gap analysis as we move towards a future state. Well, what do we
[11:25.220 --> 11:30.440]  want to see? Well, like we talked about, we want to see encryption. We want to maybe even see fax
[11:30.440 --> 11:34.760]  no longer being a needed method for transmission. But the reality is that many industries don't
[11:34.760 --> 11:39.700]  rely on fax. Medical is 70% of all medical transmissions. But maybe elections doesn't
[11:39.700 --> 11:45.480]  have to be one of those industries where fax is reality. So what are we going to do in the future
[11:45.480 --> 11:50.500]  as we continue to work on this with Secure the Vote? Well, we want to reconstruct the Faxploit,
[11:50.500 --> 11:55.540]  but we also want to demonstrate it with the T38 fax protocol and fax over IP. Because a lot of what
[11:55.540 --> 12:00.520]  we're seeing from cities and counties, well, we do do fax sometimes, but it's all electronically.
[12:00.720 --> 12:07.040]  And sometimes for these city B or county B scenarios, IP just means security to them.
[12:07.040 --> 12:12.120]  Over the internet means security. Maybe they have some sort of bias against phone lines but not IP
[12:12.120 --> 12:15.520]  when that's not the case. And so we need to demonstrate that exploit to various election
[12:15.520 --> 12:20.740]  officials around the country and show fax is insecure and it can be changed. And we need to
[12:20.740 --> 12:25.460]  make sure that this is a secure place to secure our votes and to secure our democracy. So we're
[12:25.460 --> 12:30.960]  going to continue to raise awareness about fax and security. So why now? Well, for one thing,
[12:30.960 --> 12:36.660]  COVID-19 has made this a very interesting age and potentially could drop voter turnout as people
[12:36.660 --> 12:43.600]  cannot come out to physical voting locations. And maybe jurisdictions will look to things
[12:43.600 --> 12:48.240]  traditionally offered to UOCAVA and offering that to the general public. So fax, the web portals,
[12:48.240 --> 12:54.260]  the mobile voting. And we need to be very conscious when we look at adding fax to the
[12:54.260 --> 12:59.780]  general public, because that is adding a huge attack surface. And that's adding many, you know,
[12:59.780 --> 13:03.880]  the millions more votes that could potentially be cast by fax, even though we probably won't see
[13:03.880 --> 13:08.640]  millions of votes cast by fax. The potential is the point. And that potential millions of votes
[13:08.640 --> 13:15.760]  that can be changed or maliciously attacked is a very juicy target for nation states, maybe,
[13:15.760 --> 13:20.660]  that are looking to influence it. So we need to keep that in mind as we potentially add fax in
[13:20.660 --> 13:26.180]  for more people. So if it does get added, we need to look at it very security-minded as an emergency
[13:26.180 --> 13:30.520]  ballot return method, not as something that everybody should think about doing over anything
[13:30.520 --> 13:35.760]  else. Election officers should probably secure, perform security audits on their fax machines to
[13:35.760 --> 13:38.940]  make sure, you know, potentially if you are exactly what we've been talking about, these HP
[13:38.940 --> 13:43.520]  printers, that you bought it after 2018 and it has a security patch applied, all that good stuff.
[13:43.520 --> 13:48.700]  Because if it's not, that's the first step of the rest that's fixing this situation. So short-term
[13:48.700 --> 13:53.260]  recommendations. If you're in a position of power, you need to talk to your IT department about these
[13:53.260 --> 13:57.940]  things that we've been talking about. Specifically, do you have security posture like multi-factor?
[13:57.940 --> 14:01.900]  Do you have that already strong across your IT department? And do you have that for your
[14:01.900 --> 14:06.400]  printer fax service? Do you have a segmented network topology that will help you defend from
[14:06.400 --> 14:10.160]  these confidentiality and availability attacks that we've been talking about? And even the
[14:10.160 --> 14:14.440]  integrity attacks that will keep the printer fax from exploiting the rest of your election
[14:14.440 --> 14:19.780]  network? And do you have a patching policy? Are you even security conscious about the network
[14:20.720 --> 14:25.000]  machines that you have in your office? If you don't have these things or you don't know,
[14:25.000 --> 14:28.340]  I would definitely recommend talking to your IT department about this and try to
[14:28.340 --> 14:34.420]  secure your network by this fall. And in the farther future, we need to talk about how T38
[14:34.420 --> 14:40.020]  fax over IP using encrypted solution should be the standard, the default, and what everyone is
[14:40.020 --> 14:45.540]  using, especially in this election context. The real-time faxing for everyone so we're not storing,
[14:45.540 --> 14:54.200]  especially unbeknownst to the users, voter records on these fax machines. And the T30 having an
[14:54.200 --> 14:57.700]  encryption protocol would also be great because a lot of people are still going to be stuck on
[14:57.700 --> 15:03.840]  legacy systems for various reasons. And having encryption for that would be great as well.
[15:04.100 --> 15:09.600]  So the medical industry has actually had a little bit of a commerce towards eliminating fax. They
[15:09.600 --> 15:14.080]  said they would do it by 2020 for one of the main providers for fax solutions for medical companies.
[15:14.080 --> 15:17.980]  It hasn't happened yet, you know, it's been a crazy time, but they're definitely looking
[15:17.980 --> 15:22.220]  at getting rid of fax. So can we maybe eventually follow the medical industry?
[15:22.220 --> 15:26.820]  It's a great question, something we're looking at in the future. So what's the point of all this?
[15:26.820 --> 15:31.640]  With all of 2020's craziness leading down to the end of 2020, everything that's happened,
[15:31.640 --> 15:35.260]  this election is going to be of tantamount importance, obviously. So we cannot let
[15:35.260 --> 15:39.320]  this opportunity to further secure America's democracy go unspoken. That's all that we're
[15:39.320 --> 15:43.380]  about here at Voting Village, is showing exploits, showing vulnerabilities, and saying
[15:43.940 --> 15:48.420]  we are not securing our democracy properly if we really care. And fax is one of those things,
[15:48.420 --> 15:51.820]  even though it's a few ballots, it's a few ballots, and those few ballots matter.
[15:51.820 --> 15:57.360]  So at the same time, can we leverage you guys? Can we say, if you guys have a fax machine,
[15:57.360 --> 16:00.300]  if you're interested, if you want to keep following this up, how about you hack your
[16:00.300 --> 16:04.300]  fax machine? Post about it with hashtag hackafax, and we'll be able to see that,
[16:04.300 --> 16:07.860]  and we'll be able to continue looking at that, and showing that to officials as we
[16:07.860 --> 16:13.900]  go about the country for the next few years with Secure the Vote. So that's what we have.
[16:14.240 --> 16:18.760]  I've been Caleb Gardner. I'm Forrest Senti. And we're with the National Cyber Security Center,
[16:18.760 --> 16:21.360]  and that's a hackafax. Cool. Thanks, guys.
